Microsoft Security Essentials Outperforms Competition

Lifehacker reported in December that Microsoft’s new antivirus and antimalware utility Microsoft Security Essentials ranks as the best performing free antivirus tool:

AV-Comparatives.org ran a series of real-world tests running through common scenarios like downloading, extracting, copying, and encoding files, installing and launching applications…Not only is [Microsoft Security Essentials] one of only three products that both blocks and removes malware well, but it’s also very light on system resources.

You can download Microsoft Security Essentials for free from the Microsoft site. If you or your company already has a paid subscription to an antivirus utility, there is no need to download another one. However, if you are thinking of switching from a different free utility or need an antivirus utility for your home PC, Microsoft Security Essentials is a tried and highly recommended security solution.

You have exceeded your profile space!

Came across an interesting issue today while cleaning a Malware infection from a client computer.  Once I had cleaned the system up enough to load Windows XP in normal mode, I noticed a strange icon in the system tray.  It was a large red circle with a white X, and when the mouse was hovered over the icon the message “Warning! You have exceeded your profile space by XXX KB” was displayed. Opening the program displayed a more detailed message:


Profile Storage Space
You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage

This was on a computer that is not attached to a domain,  with no quotas enabled by the administrator.

It seems that the Malware infection implemented a local security policy on the PC restricting the user's profile storage space.  Manually deleting unneeded files from My Documents to reduce the size of the profile had no effect.

Luckily I came across this registry modification that removed the quota and corrected the problem.

Take this code and paste it into notepad. Save the file as quotarem.reg (make sure to save as type All Files to avoid the .TXT extension) and then double click on it to merge the changes into your Windows registry.

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"ProfileQuotaMessage"=-
"MaxProfileSize"=-
"IncludeRegInProQuota"=-
"WarnUser"=-
"WarnUserTimeout"=-

Removal Tools for Common AV Programs

http://kb.eset.com/esetkb/index?page=content&id=SOLN146

Re-enable Registry Editing (regedit)

Often, we run across spyware that may disable registry editing.  When you try to access regedit, you may get the following prompt:

“Registry editing has been disabled by your administrator.”

There are several methods to re-enable the registry editing from this point.  First, the easiest is usually to run this command from the run command or from a command prompt:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Log off then back on and try again.  If that didn’t work, you can try the other steps below:

Use GPEDIT to modify the local security policy:

  1. Click Start, Run
  2. Type GPEDIT.MSC and Press Enter
  3. Go to the following location
    • User Configuration
    • Administrative Templates
    • System
  4. In the Settings Window, find the option for “Prevent Access to Registry Editing Tools” and double-click on it to change.
  5. Select Disabled or Not Configured and choose OK
  6. Close the Group Policy Editor and restart your computer
  7. Try opening REGEDIT again

Download this VBS file:

www.dougknox.com/security/scripts_desc/regtools.htm

Missing Tabs In Display Properties

Some spyware may create a desktop background to replace your own.  After doing this, I’ve seen the display properties tabs for modifying the screensaver and wallpaper disappear to prevent the user from getting rid of the malicious wallpaper.  To bring these tabs back, navigate to the following Registry string:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Here, you will find the keys responsible.  They are:

NoDispBackgroundPage
NoDispAppearancePage

These will likely be set to 1.  Set them to 0 or delete them to get your tabs back. 
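The profile-quota, regedit-lockout and Display Properties fixes above all touch the same per-user policy key, so here is one script (added here, not from the original post) that audits that key for every value the three posts name and removes the ones that impose a restriction. It assumes PowerShell is available on the cleaned machine; run it as the affected user, with -WhatIf first to see what it would remove.

```powershell
# Added example, not from the original post: audit and clear the per-user
# policy values malware uses to lock the user out (profile quota warning,
# "Registry editing has been disabled", missing Display Properties tabs).
# Usage: .\Clear-UserPolicyLockout.ps1 -WhatIf   (then again without -WhatIf)
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Values named in the posts, grouped by the symptom each group produces.
$suspect = @{
    'Profile quota warning'         = 'EnableProfileQuota', 'ProfileQuotaMessage',
                                      'MaxProfileSize', 'IncludeRegInProQuota',
                                      'WarnUser', 'WarnUserTimeout'
    'Regedit disabled'              = 'DisableRegistryTools'
    'Display Properties tabs hidden'= 'NoDispBackgroundPage', 'NoDispAppearancePage'
}

if (-not (Test-Path -Path $key)) {
    Write-Host "Policy key $key not present; nothing to clean."
    return
}

$props = Get-ItemProperty -Path $key

foreach ($symptom in $suspect.Keys) {
    foreach ($name in $suspect[$symptom]) {
        # PSObject.Properties[...] is $null when the value does not exist.
        if ($null -eq $props.PSObject.Properties[$name]) { continue }
        $value = $props.$name

        # DisableRegistryTools=0 or NoDisp*=0 imposes nothing; quota values are
        # a restriction whenever they exist on a standalone, non-domain PC.
        if ($symptom -ne 'Profile quota warning' -and $value -eq 0) { continue }

        Write-Host ("[{0}] {1} = {2}" -f $symptom, $name, $value)
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}
```

Log off and back on afterwards, as the posts note, so the shell re-reads the policy key.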

Trend Micro Internet Security 2007 – PcScnSrv.exe Consumes Too Much CPU

Trend Micro’s PcScnSrv.exe process can be seen spiking often to almost 100% of the CPU.  This issue is caused by the Immunization feature of Spybot S&D.  Apparently the two products do not play well together…in fact, during the install of Trend Micro Internet Security 2007, the removal of Spybot S&D is recommended.  If you do have both products installed, Trend Micro’s recommended solution can be found here

The basic steps are this:

1. Open Spybot and go to the Immunize section.
2. Click the undo button to allow all bad products previously blocked by Spybot.
3. Delete: C:\Program Files\Trend Micro\Internet Security 2007\usrwl.dat
4. Reboot

Better Business Bureau Fraud Emails (microsoft.dll / microsoft.exe)

There is a phishing attempt circulating that sends emails claiming to be from the Better Business Bureau.  The subject line is: “BBB Complaint for {Recipient Name} [Case id: #7dcd4491d93a6cd1f1ac30ad32b4d18d]”  The email that I’ve seen came from: “25153F@bbb.com” although I’m sure there are many.  The email body looks like this:

=================================================

Dear Mr./Mrs. {Recipient Name} ({Company Name})

You have received a complaint in regards to your business services. Use the link below to view the complaint details:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Complaint Case Number: B48944
Complaint Made by Consumer Mrs. Marcia E. Worthington
Complaint Registered Against: {Recipient Name} of {Company Name}

Date: 05/14/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:

• Claims based on product liability;
• Claims for personal injuries;
• Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2007 Council of Better Business Bureaus, Inc. All Rights Reserved.

=================================================

I apologize for not being able to provide the actual message header, the email message was deleted by the client. This email contains the following link, under the title: “CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944”

http://document-repository.com/redirect.htm?209696923c59b2a19753c85920ddbbb6=435509f28a129 …

This link directs the user to a webpage containing the BBB logo and a single hyperlink:

http://document-repository.com/Complaint_Details_363619942.doc.exe

Upon clicking on the link on this page, a file called “Complaint_Details_363619942.doc.exe” is executed and the following actions are performed:

Files Created:

C:\microsoft.exe (Virus!  For more details, click here)
C:\microsoft.dll

Registry Entries Created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [Win32KernelStart] “C:\microsoft.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: [Win32KernelStart] “C:\microsoft.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: [Win32KernelStart] “C:\microsoft.exe”

Registry Keys Changed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier\Application Path changed from “magnify.exe” to “C:\Microsoft.exe”

The files mentioned above can be removed by first deleting Microsoft.dll and then Microsoft.exe using a program called Killbox. The registry entries can be deleted manually, but the last one mentioned above must be changed back to its original value of “magnify.exe”.
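To confirm whether a machine carries the indicators described above before touching anything, here is a check script (added here, not from the original post) that looks for the Win32KernelStart autorun entries, the altered Magnifier Application Path, and the two dropped files. It assumes PowerShell and an elevated prompt; remediation commands are left as comments so nothing is changed until the findings are reviewed.

```powershell
# Added example, not from the original post: detect the persistence the
# BBB "Complaint_Details" executable leaves behind, as the post describes it.
$autorunKeys = 'Run', 'RunOnce', 'RunServices' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}
$magnifierKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier'
$droppedFiles = 'C:\microsoft.exe', 'C:\microsoft.dll'
$findings = @()

# 1. Autorun entries named Win32KernelStart in Run / RunOnce / RunServices.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entry = (Get-ItemProperty -Path $key).PSObject.Properties['Win32KernelStart']
    if ($entry) {
        $findings += [pscustomobject]@{ Location = $key; Name = $entry.Name; Value = $entry.Value }
    }
}

# 2. Magnifier launch path hijacked; the post gives magnify.exe as the original.
if (Test-Path -Path $magnifierKey) {
    $path = (Get-ItemProperty -Path $magnifierKey).'Application Path'
    if ($path -and $path -ne 'magnify.exe') {
        $findings += [pscustomobject]@{ Location = $magnifierKey; Name = 'Application Path'; Value = $path }
    }
}

# 3. Dropped files in the root of C:, hashed so the finding can be recorded.
foreach ($file in $droppedFiles | Where-Object { Test-Path -Path $_ }) {
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Location = 'Filesystem'; Name = $file; Value = $hash }
}

if ($findings.Count -eq 0) {
    Write-Host 'None of the indicators from the post were found.'
} else {
    $findings | Format-Table -AutoSize
}

# Remediation, only after reviewing the findings above (matches the post's steps):
#   Remove-ItemProperty -Path <autorun key> -Name Win32KernelStart
#   Set-ItemProperty -Path $magnifierKey -Name 'Application Path' -Value 'magnify.exe'
#   then delete microsoft.dll, then microsoft.exe
```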

NewDotNet Spyware

I’ve seen this piece of spyware a few times on client machines and it’s easy to remove with most spyware apps now.  What’s interesting is what the company actually uses it for.  A good read:

http://cexx.org/newnet.htm

WARNING: Sometimes when you remove this spyware, it can take your Winsock components with it, essentially disabling your network access.  If that happens, use this tool to fix it:

http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html

EDIT:  Alternatively you can use functionality introduced by SP2 –

Windows XP Service Pack 2 – New Winsock NETSH commands

Two new Netsh commands are available in Windows XP Service Pack 2.

netsh winsock reset catalog

This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed that results in loss of network connectivity. While use of this command can restore network connectivity, it should be used with care because any previously-installed LSPs will need to be re-installed.

netsh winsock show catalog

This command displays the list of Winsock LSPs that are installed on the computer.

To output the results to a file, type this in Command Prompt (CMD.EXE):

netsh winsock show catalog >C:\lsp.txt

Click to view the sample file now: lsp.txt
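Reading a saved lsp.txt by eye is tedious, so here is a parser (added here, not from the original post) that pulls each Winsock catalog entry's description and provider DLL out of the netsh output and flags providers that do not live under the Windows directory, which is where a stray LSP left by spyware would show up. It assumes PowerShell and the "Description:" / "Provider Path:" labels that netsh winsock show catalog prints.

```powershell
# Added example, not from the original post: list Winsock catalog providers
# from "netsh winsock show catalog" (live, or from a saved lsp.txt) and flag
# any provider DLL outside %SystemRoot% for closer inspection.
param([string]$CatalogFile)   # e.g. C:\lsp.txt; omit to query the live catalog

$text = if ($CatalogFile) {
    Get-Content -Path $CatalogFile -Raw
} else {
    (netsh winsock show catalog) -join "`n"
}

# netsh separates catalog entries with blank lines; each entry carries
# a "Description:" and a "Provider Path:" line.
$entries = foreach ($block in ($text -split '(?:\r?\n){2,}')) {
    if ($block -match 'Provider Path:\s*(?<path>\S.*)') {
        $rawPath = $Matches.path.Trim()
        $path = [Environment]::ExpandEnvironmentVariables($rawPath)
        $desc = if ($block -match 'Description:\s*(?<d>\S.*)') { $Matches.d.Trim() } else { '' }
        [pscustomobject]@{
            Description = $desc
            Path        = $path
            InWindowsDir= $path -like "$env:SystemRoot\*"
            Exists      = Test-Path -Path $path
        }
    }
}

# Providers outside the Windows directory, or whose DLL is missing, are the
# ones to research before deciding on "netsh winsock reset catalog".
$suspect = $entries | Where-Object { -not $_.InWindowsDir -or -not $_.Exists }

$entries | Sort-Object Path -Unique | Format-Table -AutoSize
if ($suspect) {
    Write-Host "Providers to review:"
    $suspect | Sort-Object Path -Unique | Format-Table -AutoSize
} else {
    Write-Host "All providers resolve to existing DLLs under $env:SystemRoot."
}
```

A flagged provider is not proof of spyware (some third-party firewalls and VPN clients install their own LSPs); note the description and path before resetting the catalog, since the reset removes every LSP and legitimate ones must be reinstalled.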